An individual’s personal financial data would be transferred for no charge from one financial provider – including financial institutions, credit card issuers, and others – to another under a new rule finalized early Tuesday by the federal consumer financial protection agency.
“Consumers will be able to more easily switch to providers with superior rates and services,” the Consumer Financial Protection Bureau (CFPB) said in a release. “By fueling competition and consumer choice, the rule will help lower prices on loans and improve customer service across payments, credit, and banking markets.”
The bureau asserted that the regulation – dubbed the Personal Financial Data Rights Rule (also known as “open banking” or the “1033 rule”) — ensures consumers will be able to access and share data associated with bank accounts, credit cards, mobile wallets, payment apps, and other financial products.
“[The rule] aims to address market concentration that limits consumer choice over financial products and services,” the bureau said. “Consumers will be able to access, or authorize a third party to access, data such as transaction information, account balance information, information needed to initiate payments, upcoming bill information, and basic account verification information. Financial providers must make this information available without charging fees.
CFPB said compliance with the rule will be implemented in phases, with larger providers subject to the rule sooner than smaller ones. Financial firms will be required to comply based on their size; the largest institutions will have to comply by April 1, 2026, while the smallest covered institutions will have until April 1, 2030.
Certain small banks and credit unions are not subject to this rule.
In June, the bureau issued a rule that it said launched the process for recognizing “open banking” standards. The CFPB said then that the rule aimed to prevent “dominant incumbents from squelching startups.” It did that, CFPB said, by giving the agency power to revoke the recognition of standard setters and set a maximum recognition duration of five years, after which recognized standard setters will have to apply for re-recognition.
Tuesday’s rule, according to CFPB, “will spur greater choice and increase competition.” It does that, the agency said, by enabling people to fire fintechs and banks that provide lousy service, shop for better rates on products and credit, and make secure payments, including with “pay-by-bank.”
“The rule ensures consumers are able to securely share payments information, which can help enable what is sometimes referred to as pay-by-bank,” the agency wrote. “Such products enable consumers to pay merchants, peers, and others, as well as move money between their own accounts. The rule will help bring greater competition to payments markets, which have long been an area of anti-competitive practices.”
CFPB said the rule also strengthens consumer protections in two key ways: by banning bait-and-switch data harvesting, and by creating revocation and deletion rights.
Under the bait and switch protection provision, the bureau said third parties can only collect, use, or retain data to deliver the product the consumer requested. “They cannot secretly collect, use, or retain consumers’ data for their own unrelated business reasons – for example, by offering consumers a loan using consumer data that they also use for targeted advertising,” the agency stated. While the rule does not prohibit any particular uses of data, it requires that “all use be driven by what is necessary to deliver the product sought by the consumer.”
Under revocation and deletion rights, the rule requires that, when a person revokes access, data access end immediately, and deletion would be the default practice. Access can be maintained for no more than one year, absent express reauthorization. “To prevent “dark patterns” from emerging, the process to revoke access must be simple and straightforward,” the agency said.